LibRaw: Uninitialized memory disclosure via LibRaw_buffer_datastream::read

High
rcorrea35 published GHSA-cmhf-chvw-6c7j Oct 22, 2024

Package

LibRaw

Affected versions

0.21.2

Patched versions

None

Description

Summary

Uninitialized memory disclosure can be achieved by parsing a truncated RAW picture.

Severity

High - It is possible to exploit the vulnerable pattern in multiple ways and it may lead to complete memory reconstruction of the target allocation - whose size is controllable through TIFF tags - by an attacker with access to the bitmap result or the parsed metadata.

Proof of Concept

  1. Compile LibRaw following the instructions on https://github.com/LibRaw/LibRaw/blob/0.21.2/INSTALL
  2. Run the bin/simple_dcraw sample binary with the provided file: bin/simple_dcraw poc.bin

Further Analysis

LibRaw supports a wide range of RAW picture formats. To do so, it employs a format recognition system based on which TIFF tags are found in the file. Once a format is recognized, the load_raw function pointer, responsible for extracting the raw image from the input file, is populated with the appropriate handler. Such functions commonly use LibRaw_buffer_datastream::read to read from the input buffer; it is semantically equivalent to libc's fread and, like fread, returns a count shorter than requested when the input ends early. A number of load_raw functions [1] do not check that return value or test whether the end of input has been reached, so a truncated file produces a short read that goes unnoticed. Because the backing buffer for the raw image is heap-allocated with a size derived from the image dimensions in the TIFF tags, the unread tail keeps whatever the allocator left there, and an attacker can reconstruct portions of heap memory by analyzing the bitmap result. Similarly, some metadata [2] is parsed via the same API and may allow an attacker with access to the parsed metadata to directly read uninitialized heap memory.

These functions are affected by the vulnerable pattern:
[1]

[2]
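The pattern described above, as an added example that is not LibRaw's own code: ByteStream is a stand-in for LibRaw_buffer_datastream with fread-style semantics, load_raw_unchecked drops the read count the way the affected loaders do, and load_raw_checked shows the fix. The 0xAA sentinel models stale heap contents (a real allocator gives no such guarantee), the 4x4 16-bit image and the 10-byte truncated file are constructed inputs, and the function names are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Stand-in for LibRaw_buffer_datastream: an fread()-style read over an in-memory
// file image. Like fread(), it returns the number of whole items copied, which is
// less than nmemb when the buffer runs out.
class ByteStream {
public:
    ByteStream(const uint8_t *data, size_t size) : data_(data), size_(size), pos_(0) {}

    size_t read(void *dst, size_t item_size, size_t nmemb) {
        if (item_size == 0 || nmemb == 0) return 0;
        size_t avail_items = (size_ - pos_) / item_size;
        size_t n = nmemb < avail_items ? nmemb : avail_items;
        if (n) {
            std::memcpy(dst, data_ + pos_, n * item_size);
            pos_ += n * item_size;
        }
        return n;
    }

private:
    const uint8_t *data_;
    size_t size_;
    size_t pos_;
};

// Sentinel that plays the role of stale heap contents in a freshly malloc'd raw buffer.
static const uint8_t kStale = 0xAA;

// Vulnerable shape: the raw buffer is sized from the (attacker-controlled) width and
// height, read() fills as much as the file provides, and the return value is dropped.
// Whatever the allocator left behind in the unread tail becomes "image data".
std::vector<uint8_t> load_raw_unchecked(ByteStream &in, size_t width, size_t height) {
    std::vector<uint8_t> raw(width * height * 2, kStale); // 16-bit samples; kStale models uninitialized memory
    in.read(raw.data(), 2, width * height);               // short read goes unnoticed
    return raw;
}

// Hardened shape: bound the allocation and treat a short read as an I/O error, so no
// partially filled buffer ever reaches the caller.
bool load_raw_checked(ByteStream &in, size_t width, size_t height, std::vector<uint8_t> &raw) {
    raw.clear();
    if (width == 0 || height == 0) return false;
    if (width > (SIZE_MAX / 2) / height) return false;   // width*height*2 would overflow
    size_t pixels = width * height;
    raw.assign(pixels * 2, kStale);
    if (in.read(raw.data(), 2, pixels) != pixels) {       // truncated input: fail instead of leaking
        raw.clear();
        return false;
    }
    return true;
}

// Number of output bytes that still carry the stale sentinel, i.e. the disclosed region.
size_t stale_bytes(const std::vector<uint8_t> &raw) {
    size_t n = 0;
    for (uint8_t b : raw) if (b == kStale) ++n;
    return n;
}

// Constructed inputs (not the advisory's poc.bin): a 4x4 16-bit image needs 32 bytes,
// but the truncated "file" carries only 10.
static const size_t kWidth = 4, kHeight = 4;
static const uint8_t kTruncatedFile[10] = {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00};

size_t demo_unchecked_leak() {
    ByteStream in(kTruncatedFile, sizeof kTruncatedFile);
    return stale_bytes(load_raw_unchecked(in, kWidth, kHeight)); // 22 of 32 bytes never written
}

bool demo_checked_rejects_truncated() {
    ByteStream in(kTruncatedFile, sizeof kTruncatedFile);
    std::vector<uint8_t> raw;
    return !load_raw_checked(in, kWidth, kHeight, raw) && raw.empty();
}

bool demo_checked_accepts_complete() {
    std::vector<uint8_t> file(kWidth * kHeight * 2, 0x11);  // complete 32-byte file
    ByteStream in(file.data(), file.size());
    std::vector<uint8_t> raw;
    return load_raw_checked(in, kWidth, kHeight, raw) && stale_bytes(raw) == 0;
}

int main() {
    std::printf("unchecked loader: %zu stale bytes in output\n", demo_unchecked_leak());
    std::printf("checked loader rejects truncated file: %s\n", demo_checked_rejects_truncated() ? "yes" : "no");
    std::printf("checked loader accepts complete file: %s\n", demo_checked_accepts_complete() ? "yes" : "no");
    return 0;
}
```

The dimension bound in load_raw_checked is there because, as the Severity section notes, the size of the target allocation comes from TIFF tags: a loader that only checks the read count still lets the attacker pick an arbitrarily large buffer, so both the allocation size and the short read need handling.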

Timeline

Date reported: 09/13/2024
Date fixed: 09/18/2024
Date disclosed: 10/18/2024

Severity

High

CVE ID

No known CVE

Weaknesses

No CWEs

Credits